We have a static HTML site built in 2013 that we maintain. We got a notification from GoDaddy that there were malicious files in the website. I started to remove them, but wanted to see what was in them. When I opened one of the files that was 3 levels into the website it was extremely complicated. It looks like part of many arrays and just pulling parts of multiple arrays. I believe the end goal is to assemble the final script. It looks like this.

Another interesting thing about this attack is the date of the file. It is from 2013. I had made a complete backup of the site on 2/15/2016, but the bad files were from 2013. None of the bad files were in my backup from 2016.

Nothing was solved. I removed the old files and updated the .htaccess file. I found it interesting how the date could be manipulated.
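Because the file dates had been set back, the reliable way to find the planted files is to compare the live site against the clean 2016 backup by content hash, not by timestamp. The following is an added example, not from the original post; it builds a constructed sample site (backup plus a live copy with one backdated planted file and one edited page) in a temporary directory and reports what differs.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Content hash of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_to_backup(backup_dir, live_dir):
    """Diff the live site against a known-good backup by content, not by date."""
    backup, live = hash_tree(backup_dir), hash_tree(live_dir)
    added = sorted(set(live) - set(backup))
    removed = sorted(set(backup) - set(live))
    modified = sorted(p for p in live if p in backup and live[p] != backup[p])
    # Files absent from the backup yet carrying an mtime older than anything in
    # it are the tell-tale sign that the timestamp was set back.
    newest_backup = max(p.stat().st_mtime for p in Path(backup_dir).rglob("*") if p.is_file())
    backdated = [p for p in added if (Path(live_dir) / p).stat().st_mtime < newest_backup]
    return {"added": added, "removed": removed, "modified": modified, "backdated": backdated}

def build_demo():
    """Constructed sample (not real site data): a backup and a live copy where
    one planted file was backdated to 2013 and one page was edited."""
    base = Path(tempfile.mkdtemp())
    backup, live = base / "backup_2016", base / "live"
    for root in (backup, live):
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>Hello</body></html>")
        (root / "css" / "style.css").write_text("body{margin:0}")
    planted = live / "img" / "cache" / "x.php"  # hypothetical path
    planted.parent.mkdir(parents=True)
    planted.write_text("<?php /* constructed stand-in for a planted file */ ?>")
    old = 1356998400  # 2013-01-01 UTC: older than every file in the backup
    os.utime(planted, (old, old))
    (live / "index.html").write_text("<html><body>Hello<!-- edited --></body></html>")
    return backup, live
```

Run `compare_to_backup(*build_demo())` to see the planted file listed under both "added" and "backdated" even though its date predates the backup.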

I often get asked why someone would attack a website. It is often for financial gain. If the attacker can get a hold of your credentials then they can impersonate you on-line. Meaning if they get your bank credentials they will have access to your bank. If they get your Apple ID credentials then they can access your Apple account and buy stuff.

I got an email from Apple today to login to my account.

In this image you can see that when I put my cursor over the hyperlink in the email it is going to “natuursteendoker.be/zooology.php”. I see attacked websites with strangely named PHP files with redirects in them. This can easily redirect a user to a site ready to deliver a malicious payload or virus. Could be a key tracker that phones home with each key stroke or screen captures every 5 seconds.

We recently installed a Barracuda firewall and accidentally left “Proxy” on. This caused our IP to be used as a spam relay, which got our IP put on a blacklist. A trace route from our server to mtb.com showed the packets getting to MTB.com and stopping. We assumed it was MTB.com blocking the IP.

MTB said they get their blacklist from outside sources. They directed me to the following site where I was able to submit a request to get the IP off of the blacklist.

I could see that the IP was showing as suspect. I clicked on the “IP Reputation” and submitted the IP for review. I knew the proxy issue was resolved, so the IP should be cleared. This didn’t resolve the issue.

I discovered Barracuda has their own IP block list. This showed our IP as not having a “poor” reputation.

Had a customer call in because he was on the LA Times website and clicked on a link that caused his browser to pop-up a Microsoft warning. The warning said he was infected and needed to pay. He hit control-alt-delete and closed chrome. He restarted his machine and called us.

I opened Chrome and looked at the start page. It was set to “http://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND”. When I put that URL into another browser it took me to just Google. I figured the rest was unnecessary and reset his home page to just be “http://www.google.com”.

I downloaded a rootkit scan tool from Bleeping Computer and ran a quick scan. We also use Vipre Anti-virus. I updated the definitions and ran a full deep scan with Vipre. Nothing else was wrong.